Inline templates do not sanitize the inline variables properly.
This has slipped through the cracks since the test is not actually using an unsafe string. If I change the test to include some unsafe characters, it fails:
```php
public function testInlineTemplate() {
  // ...
  $element = array();
  $element['test'] = array(
    '#type' => 'inline_template',
    '#template' => 'test-with-context {{ lama }}',
    // An unsafe value: the rendered output must contain it escaped, never raw.
    '#context' => array('lama' => '<script>alert(\'oops\');</script>'),
  );
  $this->assertEqual(drupal_render($element), 'test-with-context ' . String::checkPlain('<script>alert(\'oops\');</script>'));
  // ...
}
```
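To show why the original test could not catch the defect, here is an added, self-contained example (not Drupal core code and not the patch from this issue). It stands in for the `inline_template` render element with two hypothetical renderers: one that substitutes `#context` values raw, as the issue reports, and one that escapes each value with `htmlspecialchars()`, which is what `String::checkPlain()` does in core. The template, context and expected strings are constructed to match the test above.

```php
<?php
// Added example, not Drupal's own code. Minimal stand-in for the inline_template
// render element: replaces {{ name }} placeholders with values from a context array.

// Hypothetical helper: the defective behaviour, context values are inserted raw.
function renderInlineTemplateUnsafe(string $template, array $context): string {
  return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($context) {
    return (string) ($context[$m[1]] ?? '');
  }, $template);
}

// Hypothetical helper: the hardened behaviour. Each context value is escaped the
// same way String::checkPlain() does it (htmlspecialchars with ENT_QUOTES, UTF-8).
function renderInlineTemplateSafe(string $template, array $context): string {
  return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($context) {
    $value = (string) ($context[$m[1]] ?? '');
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
  }, $template);
}

// Constructed inputs: the template from the test, a harmless value and the
// unsafe value the issue adds to the test.
$template = 'test-with-context {{ lama }}';
$harmless = ['lama' => 'llama'];
$unsafe   = ['lama' => '<script>alert(\'oops\');</script>'];
$expected = 'test-with-context ' . htmlspecialchars($unsafe['lama'], ENT_QUOTES, 'UTF-8');

// With a harmless value both renderers produce identical output, so a test
// built on such a value cannot tell escaped from unescaped rendering.
echo 'harmless value, outputs identical: ';
var_dump(renderInlineTemplateUnsafe($template, $harmless) === renderInlineTemplateSafe($template, $harmless));

// With an unsafe value the raw renderer no longer matches the escaped
// expectation, which is exactly the assertion the updated test makes.
echo 'unsafe value, raw renderer matches escaped expectation: ';
var_dump(renderInlineTemplateUnsafe($template, $unsafe) === $expected);
echo 'unsafe value, escaping renderer matches escaped expectation: ';
var_dump(renderInlineTemplateSafe($template, $unsafe) === $expected);
```

The point of the example is the test-design lesson from the issue: an escaping test only has value when its fixture contains characters that escaping actually changes (`<`, `>`, `&`, quotes); a fixture of plain letters passes against a broken renderer and a correct one alike.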
Comment | File | Size | Author |
---|---|---|---|
#8 | interdiff.txt | 2.01 KB | pfrenssen |
#8 | autoescape-2330503-8.patch | 4.19 KB | pfrenssen |
Comments
Comment #1
dawehner: oh damn.
Comment #2
pfrenssen: This is blocking #2273923: Remove html => TRUE option from l() and link generator..
Comment #3
dawehner: Let's harden it
Comment #4
pfrenssen: Patch looks good so far. Do you think it's a good idea to also update testInlineTemplate() to use an unsafe string?
Comment #5
pfrenssen: I deleted the patch from #3 accidentally. Here it is again.
Comment #6
dawehner: +1 for the idea in #4
Comment #7
pfrenssen: I'll add it.
Comment #8
pfrenssen
Comment #9
chx: This looks great! I can't believe I missed this :(
Comment #10
dawehner: I have to say multiple times sorry, multiple times!
Comment #11
chx: This is the result of a manual merge that went wrong in https://www.drupal.org/files/issues/2251113-70.patch -- but we caught it quite quick thanks @pfrenssen.
Comment #12
catch: Good catch, better now than later.
Committed/pushed to 8.x, thanks!
Comment #15
xjm